BACKGROUND OF THE INVENTION



Field of the Invention 

This invention relates to the field of data processing systems. More 
particularly, this invention relates to anti computer virus systems that generate a user 
warning upon detection of a computer virus. 

Description of the Prior Art 

It is known to provide anti computer virus programs that apply tests for a large
number of known virus types and characteristics. If a computer virus is detected, then 
a warning is issued to the user and the user is given the option to delete, quarantine or 
clean the infected file. 

A computer file infected with a computer virus may contain valuable data and 
accordingly the ability to clean that file rather than delete it is often highly 
advantageous. The cleaning and repair of a computer file typically involves the 
removal of the computer virus code from that file and the reversal of any changes 
made by that computer virus to the file. However, there are known computer viruses 
that produce changes to a computer file that cannot be automatically repaired. An 
example of such a virus is Wazzu which will infect a Word document and insert the 
text Wazzu at random points within that document as well as swapping the position of
some adjacent words within that document. Whilst it may be possible to remove the 
Wazzu insertions, detecting whether or not particular words within the document have 
had their positions altered is not something that can automatically be detected with 
certainty. There are also examples of computer viruses that infect Excel files and will 
modify data values within cells of that file in a manner that cannot be automatically 
detected. Depending upon how many times the computer virus has been activated 
within that file before it is removed, the degree of alteration that may have occurred
can vary significantly. 

SUMMARY OF THE INVENTION 

Viewed from one aspect the present invention provides a computer program 
product comprising a computer program operable to control a computer to apply a 
plurality of anti computer virus tests to a target computer file, said computer program 
comprising: 



(i) virus scanning logic operable to detect if said target computer file is 
infected with a computer virus; 

(ii) virus cleaning and file repair logic operable to remove a detected 
computer virus from said target computer file and repair damage caused by said 
detected computer virus to said target computer file; 

(iii) virus identifying logic operable to detect whether or not said detected 
computer virus is of a type that can cause damage to said target computer file that 
cannot be repaired by said virus cleaning and file repair logic; and 

(iv) warning generating logic operable if said detected computer virus is of 
a type that can cause damage to said target computer file that cannot be repaired by 
said virus cleaning and file repair logic to generate a warning to a user that said target 
computer file may have suffered irreparable damage. 

The invention recognises that whilst the provision of virus cleaning and file 
repair mechanisms is highly useful, it is also important to provide notification to a 
user that for specific viruses whilst a computer file may have been cleaned and a 
repair attempted, the file may also have suffered damage that cannot be detected or 
repaired. The consequences of data corruption being undetected after virus infection
and cleaning/repair are potentially very serious and accordingly the additional 
notification of this possibility to a user in those specific cases where it can occur is 
highly beneficial. Issuing the warning only in those circumstances where it could
have occurred helps to maintain the impact of the warning to the user when it does 
occur. 

In order to maintain the flexibility of the system and allow it to rapidly cope 
with new threats and circumstances, preferred embodiments of the invention utilise a 
library of anti computer virus drivers which can be added to and modified 
independently of the controlling computer programs. Thus, should a new virus be 
discovered, then a new addition to the library can rapidly follow and be implemented 
relatively easily to provide protection to users against the new virus. The library 
provides a highly convenient mechanism for marking particular drivers which are 
associated with particular computer viruses as being ones that can give rise to damage 
that cannot be automatically detected and so would require human intervention to 
detect and repair. 



The library may also be used to specify particular types of warning that should 
be associated with particular detected computer viruses that may have caused 
irreparable damage. In this way, the message given to the user may be tailored to the 
particular file type and circumstances. 

As a further refinement to the system, a notification message may be inserted
within the target computer file. This notification message then persists with the target 
computer file such that when the file is used in the future users will be warned that it 
may have suffered damage that was not repaired and accordingly those users should 
be wary of relying upon the integrity of that computer file. 

These notification messages also need to be made secure such that they cannot 
be faked and inserted within files which do not genuinely suffer from this potential
problem and accordingly preferred embodiments are such that the notification 
message includes authentication data identifying the target file into which it was 
inserted and an electronic signature applied by the warning generator logic. 

The special processing requirements that may be associated with files that 
cannot be properly repaired are better accommodated when, upon detection of a 
computer file infected in this way, the user is presented with different options for the 
further processing of that infected file than would be the case if a normal type of 
infection had occurred. 

Viewed from other aspects the invention also provides a method of applying a 
plurality of anti computer virus tests to a target computer file and an apparatus for 
applying a plurality of anti computer virus tests to a target file.

The above, and other objects, features and advantages of this invention will be 
apparent from the following detailed description of illustrative embodiments which is to 
be read in connection with the accompanying drawings. 



BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 schematically illustrates a library of computer virus detection drivers; 



Figure 2 is a flow diagram illustrating operation of anti virus computer
software;

Figure 3 is a diagram illustrating the insertion of a notification message within 
a repaired file; and 

Figure 4 is a schematic diagram of a general purpose computer which can be 
used to implement the above described techniques. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Figure 1 illustrates a library of anti computer virus drivers of the type that may 
be used to control an anti computer virus program. Each driver is associated with a
test for a particular computer virus, virus class or virus like characteristic. In addition 
to the driver, embodiments of the library employing the present technique also include 
a flag indicating whether or not that virus can produce irreparable damage to a 
computer file which it infects. If irreparable damage is a possibility, then the library 
also includes data identifying which type of enhanced warning (in addition to the 
standard warning that is normally issued) should be issued to the user upon detection 
of that computer virus. 

In the example illustrated, the Wazzu driver is flagged as being one that can 
cause irreparable damage. As this is a virus that infects Word documents, the 
enhanced notification type is indicated as including insertion of a word banner into a 
repaired document to warn of the possibility of irreparable damage having occurred. 

Figure 2 is a flow diagram illustrating the operation of an anti computer virus 
program. At step 2, a scan for viruses is performed. This could be an on-access scan, 
an on-demand scan or a scan associated with operation of an E-mail scanning program 
or a web access scanning program amongst other examples. The mechanisms 
employed for this scan may in themselves be of a standard form. 



Step 4 tests to see whether a virus was found in the scan of step 2. If no virus 
was found then processing terminates. If a virus was found then processing proceeds 
to step 6. 

Step 6 looks within the library of drivers to find whether the driver file that 
identified the virus detected is associated with a flag indicating that that virus may 
produce irreparable damage. If irreparable damage is not a possibility, then 
processing proceeds to step 8. 

At step 8 the user is issued with a standard virus detected warning and the 
standard options for proceeding further. In particular, step 10 may give the user the 
options to clean and repair the file at step 12 or quarantine the file at step 14. There 
may be additional options at this point, such as to delete the file. 

If step 6 did determine that the virus detection could cause irreparable damage, 
then processing proceeds to step 16. Step 16 checks within the library of drivers to
determine the type of notification that should be issued as is associated with the virus 
driver that detected the virus concerned. This warning is then issued. 

At step 18, the user is presented with an expanded list of options as to how
processing should proceed further given that the virus that has been detected is one 
that may have caused irreparable damage. As well as the options to quarantine the 
file at step 14 or to clean the file at step 20, an additional option of cleaning the file 
and adding a warning to the file is presented at step 22. 

If the user selects the option of proceeding to step 22, then the file that was 
infected with the virus concerned is cleaned in the sense that the computer virus is
removed from the file. In addition, repair may be attempted to reverse any changes
made to that file that are of a nature to be capable of being automatically detected and 
reversed. In addition, a warning message is added to that file such that after cleaning 
and repair a user will be warned that the integrity of that file may have been 
compromised by its previous infection and accordingly the user should be on their 
guard. Depending upon the type of computer file concerned, this warning could take 
various forms. As examples, a Word document could have an additional page or
banner inserted bearing the warning, an Excel spreadsheet could have an additional
workbook inserted bearing the warning, various other files could have comments or 
REM statements inserted within them to carry the warning concerned. It is also 
possible that the notification warning might be stored elsewhere on the system, such 
as in an AUTOEXEC.BAT file to display a message to a user on startup to indicate 
that a specific file or the computer system as a whole may be carrying computer files 
that have suffered irreparable damage from a computer virus and accordingly may be 
compromised. 

Figure 3 schematically illustrates the infection, damage, repair and warning 
addition that may be associated with a Word document. An infected Word document 
24 carries the Wazzu virus. This virus can invert the positions of randomly selected
word pairs within the document. This sort of modification is relatively subtle and not 
possible to automatically detect. Whilst the damage is subtle, it can be profound and 
seriously compromise the integrity of the infected file. Typically such a virus will 
progressively damage the file the more times the file is opened whilst infected. 
Accordingly, it is really a user judgement as to whether or not a repair should be 
attempted or whether the document should merely be discarded as it could not 
thereafter be trusted. 

When the document 24 is subject to scanning by an anti computer virus 
program, the infecting virus is detected and the option to clean the file and add a 
warning is chosen. The resulting clean document 26 no longer carries the virus but 
has been damaged in the sense that previously inverted word pairs are still inverted. 
An additional page is added to the document so as to be carried with that document 
and provide future warning to users of that document of its potential corruption.
Security measures are associated with this warning notification to prevent it from
being readily faked. It would be possible for a malicious person without such security 
measures to insert fake warning messages in documents that had not in fact been 
damaged and this in itself could cause disruption and harm to a user. Accordingly, the 
inserted warning notification 28 is made difficult to fake by the insertion of a 
relatively complex logo, data identifying the file within which it was inserted and the 
date at which it was inserted and with this whole notification being electronically 
signed, such as with a PGP signature 30. Anti computer virus programs provided
with the ability to insert such notification warnings may also be provided with a
mechanism for checking and verifying the electronic signatures upon notification 
banners. 
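
The file-bound, signed notification described above and in the Summary, as an added example that is not part of the patent text. HMAC-SHA256 from the Python standard library stands in for the PGP signature; the field names, the body digest used to identify the file, the key and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the PGP signature in the text; a
# real product would sign with a private key so verifiers hold no secret.
KEY = b"constructed-demo-key"
# Constructed sample bodies: a cleaned document and an unrelated, clean file.
CLEANED = b"Quarterly report text after virus removal"
OTHER = b"Unrelated memo that was never infected"


def _tag(fields: dict) -> str:
    """MAC over a deterministic serialisation of the notice fields."""
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, blob, hashlib.sha256).hexdigest()


def make_notice(file_name: str, body: bytes, virus: str, date: str) -> dict:
    """Build a notice bound to one file (name and body digest are assumptions)."""
    fields = {"file_name": file_name, "virus": virus, "inserted_on": date,
              "body_sha256": hashlib.sha256(body).hexdigest()}
    return {"fields": fields, "signature": _tag(fields)}


def verify_notice(notice: dict, file_name: str, body: bytes) -> str:
    """Return 'valid', 'bad-signature' or 'wrong-file' for a notice found in a file."""
    fields = notice.get("fields", {})
    sig = str(notice.get("signature", ""))
    if not hmac.compare_digest(_tag(fields).encode(), sig.encode()):
        return "bad-signature"
    digest = hashlib.sha256(body).hexdigest()
    if fields.get("file_name") != file_name or fields.get("body_sha256") != digest:
        return "wrong-file"
    return "valid"


def demo() -> dict:
    # Constructed file names and insertion date.
    notice = make_notice("report.doc", CLEANED, "Wazzu", "2001-01-01")
    # Faked notice: fields retargeted at another file, old signature reused.
    retargeted = dict(notice["fields"], file_name="memo.doc",
                      body_sha256=hashlib.sha256(OTHER).hexdigest())
    forged = {"fields": retargeted, "signature": notice["signature"]}
    return {"genuine": verify_notice(notice, "report.doc", CLEANED),
            "copied": verify_notice(notice, "memo.doc", OTHER),
            "forged": verify_notice(forged, "memo.doc", OTHER)}
```

Because this sketch identifies the file by a digest of its body, a later edit to the document makes the notice stop verifying; what counts as data identifying the file is a design choice the text leaves open.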

Figure 4 schematically illustrates a computer 200 of a type that may be used to 
execute the computer programs described above. The computer 200 includes a central 
processing unit 202, a random access memory 204, a read-only memory 206, a hard 
disk drive 208, a display driver 210 and display 212, a user input/output circuit 214, a 
keyboard 216, a mouse 218 and a network interface circuit 220, all coupled via a 
common bus 222. In operation, the central processing unit 202 executes computer 
programs using the random access memory 204 as its working memory. The 
computer programs may be stored within the read-only memory 206, the hard disk 
drive 208 or retrieved via the network interface circuit 220 from a remote source. The 
computer 200 displays the results of its processing activity to the user via the display 
driver 210 and the display 212. The computer 200 receives control inputs from the 
user via the user input/output circuit 214, the keyboard 216 and the mouse 218.

The computer program product described above may take the form of a 
computer program stored within the computer system 200 on the hard disk drive 208, 
within the random access memory 204, within the read-only memory 206, or 
downloaded via the network interface circuit 220. The computer program product 
may also take the form of a recording medium such as a compact disk or floppy disk 
drive that may be used for distribution purposes. When operating under control of the 
above described computer program product, the various components of the computer 
200 serve to provide the appropriate circuits and logic for carrying out the above 
described functions and acts. It will be appreciated that the computer 200 illustrated 
in Figure 4 is merely one example of a type of computer that may execute the 
computer program product, method and provide the apparatus described above. 

Although illustrative embodiments of the invention have been described in detail 
herein with reference to the accompanying drawings, it is to be understood that the 
invention is not limited to those precise embodiments, and that various changes and 
modifications can be effected therein by one skilled in the art without departing from the 
scope and spirit of the invention as defined by the appended claims. 



